Creating a TCP .net iRule to reject IP

Question

Hello All,&nbsp;
&nbsp;I am tring to block IPs that are not on a "White List" and log the rejections.
&nbsp;Because this is an application using .net and TCP I can not use the HTTP profile. I have tried to modify code that i found on this site and
&nbsp;can not find any other information on this. Could some point me in the correct direction.&nbsp;
&nbsp;I have included what I am trying to do.&nbsp;&nbsp;
&nbsp; Blocks all ip requests that are not on the data group list "IPs", and logs rejects&nbsp;
&nbsp;when Client_Access { 
&nbsp; if {[matchclass [IP::client_addr] equals $::IPsTest]}{ 
&nbsp; } else { 
&nbsp;  log local0.info "WirelessCDL: Client Rejected IP:[IP::client_addr]" 
&nbsp;  discard 
&nbsp; } 
&nbsp;}&nbsp;&nbsp;
&nbsp;Thanks,
&nbsp;David&nbsp;

naladar_65658 · Answer

You might try giving this a shot:

when CLIENT_ACCEPTED {
if {not ([IP::addr [IP::client_addr] equals $::IPsTest]) } {
log local0.info "WirelessCDL:  Client Rejected IP:[IP::client_addr]"
discard
}
}

chris_miller · Answer

What version are you using? If you're using a newer version of 10.x, this will be the best way to do it. 
  
 when CLIENT_ACCEPTED {
if { !( [class match [IP::client_addr] eq IPsTest] )} {
discard
log local0. "WirelessCDL: Client Rejected:[IP::client_addr]"
} }

If you're on an older version: 
  
 when CLIENT_ACCEPTED {
if { !( [matchclass [IP::client_addr] eq $::IPsTest] )} {
discard
log local0. "WirelessCDL: Client Rejected:[IP::client_addr]"
} }

Using $:: disables CMP but I can't recall whether you can reference DGs without "class match"

chris_miller · Answer

Posted By naladar on 08/13/2010 06:46 AM

You might try giving this a shot: 
  
 when CLIENT_ACCEPTED {
if {not ([IP::addr [IP::client_addr] equals $::IPsTest]) } {
log local0.info "WirelessCDL:  Client Rejected IP:[IP::client_addr]"
discard
}
}

You have to use matchclass or class match to reference a datagroup, right?

david_peters_19 · Answer

Chris, Thanks  
&nbsp; Thanks also naladar. 
&nbsp;  
&nbsp; I am still on 9.4.7. This seems to work with the demo laptop that I have. 
&nbsp;  
&nbsp; David

Forum Discussion

Creating a TCP .net iRule to reject IP

4 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

POC: Create and sign a JWT with iRule

Create a DevCentral account

irule reject request when payload field is null

Need to create irule

Creating iRules LX via iControl REST